CSHARP-4448: Implement OIDC SASL mechanism

Author: Oleksandr Poliakov

build.cake

@@ -257,6 +257,13 @@ Task("TestGssapiNetStandard20").IsDependentOn("TestGssapi");
 Task("TestGssapiNetStandard21").IsDependentOn("TestGssapi");
 Task("TestGssapiNet60").IsDependentOn("TestGssapi");
 
+Task("TestMongoDbOidc")
+    .IsDependentOn("Build")
+    .DoesForEach(
+        items: GetFiles("./**/MongoDB.Driver.Tests.csproj"),
+        action: (BuildConfig buildConfig, Path testProject) =>
+            RunTests(buildConfig, testProject, filter: "Category=\"MongoDbOidc\""));
+
 Task("TestServerless")
     .IsDependentOn("Build")
     .DoesForEach(
@@ -692,7 +699,7 @@ public class BuildConfig
 string[] CreateLoggers(string projectName)
 {
     var testResultsFile = outputDirectory.Combine("test-results").Combine($"TEST-{projectName}-{target.ToLowerInvariant()}-{DateTimeOffset.UtcNow.ToUnixTimeMilliseconds()}.xml");
-    
+
     // Evergreen CI server requires JUnit output format to display test results
     var junitLogger = $"junit;LogFilePath={testResultsFile};FailureBodyFormat=Verbose";
     var consoleLogger = "console;verbosity=detailed";

evergreen/evergreen.yml

@@ -452,6 +452,11 @@ functions:
       params:
         file: mongo-csharp-driver/benchmarks/MongoDB.Driver.Benchmarks/Benchmark.Artifacts/results/evergreen-results.json
 
+  assume-ec2-role:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+
   add-aws-auth-variables-to-file:
     - command: ec2.assume_role
       params:
@@ -707,6 +712,19 @@ functions:
             -v \
             --fault revoked
 
+  run-mongodb-oidc-tests:
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: mongo-csharp-driver
+        binary: bash
+        include_expansions_in_env:
+          - "DRIVERS_TOOLS"
+          - "OS"
+          - "FRAMEWORK"
+        args:
+          - evergreen/run-mongodb-oidc-tests.sh
+
   run-serverless-tests:
     - command: shell.exec
       type: test
@@ -1237,6 +1255,11 @@ tasks:
       commands:
         - func: run-atlas-search-index-helpers-test
 
+    - name: test-oidc-auth-aws
+      commands:
+        - func: assume-ec2-role
+        - func: run-mongodb-oidc-tests
+
     - name: test-serverless
       exec_timeout_secs: 2700 # 45 minutes: 15 for setup + 30 for tests
       commands:
@@ -2218,6 +2241,12 @@ buildvariants:
   tasks:
     - name: plain-auth-tests
 
+- matrix_name: mongodb-oidc-tests
+  matrix_spec: { os: [ "windows-64", "ubuntu-2004", "macos-1100" ] }
+  display_name: "MongoDB-OIDC Auth tests - ${os}"
+  tasks:
+    - name: test-oidc-auth-aws
+
 - matrix_name: "ocsp-tests"
   matrix_spec: { version: ["4.4", "5.0", "6.0", "7.0", "rapid", "latest"], auth: "noauth", ssl: "ssl", topology: "standalone", os: "windows-64" }
   display_name: "OCSP ${version} ${os}"

evergreen/run-mongodb-oidc-azure-tests.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Don't trace since the URI contains a password that shouldn't show up in the logs
+set -o errexit # Exit the script with error if any of the commands fail
+
+DOTNET_SDK_PATH="$(pwd)/.dotnet"
+
+echo "Downloading .NET SDK installer into $DOTNET_SDK_PATH folder..."
+curl -Lfo ./dotnet-install.sh https://dot.net/v1/dotnet-install.sh
+echo "Installing .NET LTS SDK..."
+bash ./dotnet-install.sh --channel 6.0 --install-dir "$DOTNET_SDK_PATH" --no-path
+export PATH=$PATH:$DOTNET_SDK_PATH
+
+echo "test variables"
+
+source ./env.sh
+cat ./env.sh
+
+MONGODB_URI="mongodb://${OIDC_ADMIN_USER}:${OIDC_ADMIN_PWD}@${MONGODB_URI:10}?authSource=admin"
+
+echo "Final MongoUri:"
+echo $MONGODB_URI
+
+dotnet test --no-build --framework net6.0 --filter Category=MongoDbOidc -e OIDC_ENV=azure -e TOKEN_RESOURCE="${AZUREOIDC_RESOURCE}" -e MONGODB_URI="${MONGODB_URI}" --results-directory ./build/test-results --logger "console;verbosity=detailed" ./tests/MongoDB.Driver.Tests/bin/Debug/net6.0/MongoDB.Driver.Tests.dll

evergreen/run-mongodb-oidc-tests.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Don't trace since the URI contains a password that shouldn't show up in the logs
+set -o errexit # Exit the script with error if any of the commands fail
+
+############################################
+#            Main Program                  #
+############################################
+
+if [ "$OS" = "Windows_NT" ]; then
+  for var in TMP TEMP NUGET_PACKAGES NUGET_HTTP_CACHE_PATH APPDATA; do
+    setx $var z:\\data\\tmp
+    export $var=z:\\data\\tmp
+  done
+else
+  for var in TMP TEMP NUGET_PACKAGES NUGET_HTTP_CACHE_PATH APPDATA; do
+    export $var=/data/tmp;
+  done
+fi
+
+# Make the OIDC tokens.
+set -x
+OIDC_ENV=${OIDC_ENV:-"test"}
+
+if [ $OIDC_ENV == "test" ]; then
+  # Make sure DRIVERS_TOOLS is set.
+  if [ -z "$DRIVERS_TOOLS" ]; then
+    echo "Must specify DRIVERS_TOOLS"
+    exit 1
+  fi
+
+  source ${DRIVERS_TOOLS}/.evergreen/auth_oidc/secrets-export.sh
+  if [[ ! $OS =~ ubuntu.* ]]; then
+    # Ubuntu uses local server with already build admin credentials in connection string
+    MONGODB_URI="mongodb+srv://${OIDC_ADMIN_USER}:${OIDC_ADMIN_PWD}@${MONGODB_URI:14}?authSource=admin"
+  fi
+elif [ $OIDC_ENV == "azure" ]; then
+  source ./env.sh
+else
+  echo "Unrecognized OIDC_ENV $OIDC_ENV"
+  exit 1
+fi
+
+export OIDC_ENV=$OIDC_ENV
+export MONGODB_URI=$MONGODB_URI
+
+if [ "Windows_NT" = "$OS" ]; then
+  powershell.exe .\\build.ps1 --target "TestMongoDbOidc"
+else
+  ./build.sh --target="TestMongoDbOidc"
+fi

specifications/auth/tests/README.md

@@ -0,0 +1,47 @@
+# Auth Tests
+
+## Introduction
+
+This document describes the format of the driver spec tests included in the JSON and YAML files included in the `legacy`
+sub-directory. Tests in the `unified` directory are written using the
+[Unified Test Format](../../unified-test-format/unified-test-format.md).
+
+The YAML and JSON files in the `legacy` directory tree are platform-independent tests that drivers can use to prove
+their conformance to the Auth Spec at least with respect to connection string URI input.
+
+Drivers should do additional unit testing if there are alternate ways of configuring credentials on a client.
+
+Driver must also conduct the prose tests in the Auth Spec test plan section.
+
+## Format
+
+Each YAML file contains an object with a single `tests` key. This key is an array of test case objects, each of which
+have the following keys:
+
+- `description`: A string describing the test.
+- `uri`: A string containing the URI to be parsed.
+- `valid:` A boolean indicating if the URI should be considered valid.
+- `credential`: If null, the credential must not be considered configured for the the purpose of deciding if the driver
+  should authenticate to the topology. If non-null, it is an object containing one or more of the following properties
+  of a credential:
+  - `username`: A string containing the username. For auth mechanisms that do not utilize a password, this may be the
+    entire `userinfo` token from the connection string.
+  - `password`: A string containing the password.
+  - `source`: A string containing the authentication database.
+  - `mechanism`: A string containing the authentication mechanism. A null value for this key is used to indicate that a
+    mechanism wasn't specified and that mechanism negotiation is required. Test harnesses should modify the mechanism
+    test as needed to assert this condition.
+  - `mechanism_properties`: A document containing mechanism-specific properties. It specifies a subset of properties
+    that must match. If a key exists in the test data, it must exist with the corresponding value in the credential.
+    Other values may exist in the credential without failing the test.
+
+If any key is missing, no assertion about that key is necessary. Except as specified explicitly above, if a key is
+present, but the test value is null, the observed value for that key must be uninitialized (whatever that means for a
+given driver and data type).
+
+## Implementation notes
+
+Testing whether a URI is valid or not should simply be a matter of checking whether URI parsing (or MongoClient
+construction) raises an error or exception.
+
+If a credential is configured, its properties must be compared to the `credential` field.